Data Security Standard 4 - Managing data access

This guidance relates to the 2023-24 (version 6) standard.

Personal confidential data is only accessible to staff who need it for their current role and access is removed as soon as it is no longer required. All access to personal confidential data on IT systems can be attributed to individuals.

Standard 4, National Data Guardian (NDG) review

The principle of ‘least privilege’ is applied, so that users do not have access to data they have no business need to see. Staff do not accumulate system access over time.

User privileges are proactively managed so that there is, as far as is practicable, a forensic trail back to a specific user or user group. Additionally, elevated rights are regularly reviewed to ensure a business need remains. Where necessary, organisations will look to non-technical means of recording IT usage (such as sign-in sheets, CCTV, correlation with other systems and shift rosters).
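The two checks the paragraphs above describe, namely that staff hold no access their current role does not justify and that elevated rights are reviewed on a regular cycle, can be run as a periodic access review. The script below is an added example and is not part of the DSPT guidance or any NHS tooling; the role-to-entitlement model, the set of entitlements treated as elevated, the 90-day review interval and the user records are all constructed sample data standing in for exports from a real identity or HR system.

```python
"""
Added example (not from the DSPT guidance): a small access-review check for
Standard 4 that flags
  1. entitlements a user holds that their current role has no business need
     for (access accumulated over time, or not removed on a role change), and
  2. elevated rights whose last business-need review is older than the
     review interval (or that were never reviewed).
All data below is constructed for illustration.
"""
from datetime import date, timedelta

# Constructed role model: the entitlements each role has a business need for.
ROLE_ENTITLEMENTS = {
    "ward_nurse": {"ehr_read", "ehr_write"},
    "pharmacist": {"ehr_read", "dispensing_write"},
    "sysadmin": {"ehr_read", "domain_admin"},
}

# Constructed: entitlements treated as elevated and subject to periodic review.
ELEVATED = {"domain_admin", "dispensing_write"}

REVIEW_INTERVAL = timedelta(days=90)  # assumed review cadence
AS_OF = date(2023, 9, 28)             # assumed date the review is run


def find_excess_access(users, role_entitlements=ROLE_ENTITLEMENTS):
    """Return {user_id: set of entitlements not justified by the current role}.

    A user whose role is unknown to the model has no justified entitlements,
    so everything they hold is reported.
    """
    excess = {}
    for u in users:
        allowed = role_entitlements.get(u["role"], set())
        extra = set(u["entitlements"]) - allowed
        if extra:
            excess[u["id"]] = extra
    return excess


def find_overdue_elevated(users, today=AS_OF, elevated=ELEVATED,
                          interval=REVIEW_INTERVAL):
    """Return {user_id: set of elevated rights overdue for business-need review}.

    An elevated right with no recorded review date is treated as overdue.
    """
    overdue = {}
    for u in users:
        reviews = u.get("last_review", {})
        late = set()
        for ent in set(u["entitlements"]) & elevated:
            last = reviews.get(ent)
            if last is None or today - last > interval:
                late.add(ent)
        if late:
            overdue[u["id"]] = late
    return overdue


# Constructed sample user records (id, current role, granted entitlements,
# and the date each elevated right was last confirmed as still needed).
SAMPLE_USERS = [
    {"id": "u001", "role": "ward_nurse",
     "entitlements": {"ehr_read", "ehr_write"}},
    # Moved from pharmacy to a ward; dispensing access was never removed,
    # and its last review is well outside the interval.
    {"id": "u002", "role": "ward_nurse",
     "entitlements": {"ehr_read", "ehr_write", "dispensing_write"},
     "last_review": {"dispensing_write": date(2023, 1, 10)}},
    # Sysadmin whose domain_admin right was reviewed within the interval.
    {"id": "u003", "role": "sysadmin",
     "entitlements": {"ehr_read", "domain_admin"},
     "last_review": {"domain_admin": date(2023, 8, 1)}},
    # Sysadmin holding an elevated right that has never been reviewed.
    {"id": "u004", "role": "sysadmin",
     "entitlements": {"ehr_read", "domain_admin"}},
]

if __name__ == "__main__":
    for uid, ents in sorted(find_excess_access(SAMPLE_USERS).items()):
        print(f"{uid}: access not justified by current role: {sorted(ents)}")
    for uid, ents in sorted(find_overdue_elevated(SAMPLE_USERS).items()):
        print(f"{uid}: elevated rights overdue for review: {sorted(ents)}")
```

On the sample data the review reports u002 for holding dispensing access that a ward role does not justify, and reports both u002 and u004 for elevated rights whose business need has not been confirmed within the interval; u003 is clean because the right was reviewed recently. Each finding is attributable to a named user, which is the property the standard asks for, and the output is the list to action (remove or re-approve) rather than a report to file.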


Last edited: 28 September 2023 11:11 am